Citrix and ZA

I get the following error message when I try to get into applications (e.g., Outlook, Word, Excel) remotely via my office's Citrix server: "Cannot connect to the Citrix mainframe server. SSL Error 4: Attempted to connect using the (TLS V1.0 | SSL V3.0) protocol(s). The server rejected the connection." Alternatively, I get the message: "Citrix SSL server you have selected is not accepting connections."

It seems to be a firewall issue. I use ZoneAlarm Security Suite, and I can get into the applications when the firewall software is shut down. I've attempted to have the firewall recognize the Citrix application and website, but that doesn't seem to help.

I'm no techie on this stuff, so please be technically gentle in any response. Thanks.
Bob

Re: Citrix and ZA

Dear risman:

What web interface are you using to connect to the Citrix server? I've seen this SSL error (the first one) on browsers when your browser's encryption protocols, such as SSL 3.0/TLS 1.0, are set at their highest, such as 256-bit, but the server only supports a lower encryption setting such as 128-bit or a different encryption protocol such as SSL 2.0. Go into your web interface and find the configuration settings for SSL and change this to a lower setting if necessary. Keep in mind that the lower bit encryption is not as secure and neither is SSL 2.0 when compared to 3.0 or TLS.

The 2nd error message means the server has the maximum number of connections it is configured for and won't accept any new logons. There are too many people logged on and you'll just have to wait and recheck after a period of time. There's no getting around this one.

Re: Citrix and ZA

I have Firefox 2.0.0.11 and IE 7.0--it happens with both of them. I don't know how to change SSL settings to a lower level other than to disable altogether. I tried that with Firefox, but I then get the message "Firefox can't connect securely to [website] because the SSL protocol has been disabled." However, it doesn't make sense to me that it's the browser, because when ZA is disabled, I can access the site fine. So it seems like there should be something to tinker with in ZA, but I can't figure what it might be.

Re: Citrix and ZA

risman wrote:
    I have Firefox 2.0.0.11 and IE 7.0--it happens with both of them. I don't know how to change SSL settings to a lower level other than to disable altogether. I tried that with Firefox, but I then get the message "Firefox can't connect securely to [website] because the SSL protocol has been disabled." However, it doesn't make sense to me that it's the browser, because when ZA is disabled, I can access the site fine. So it seems like there should be something to tinker with in ZA, but I can't figure what it might be.

Make sure the server IP or IP range that is for your Citrix on your laptop/desktop is entered as Trusted in the Zones.
Make sure the Citrix listed in the ZA Program listing has server rights for the Trusted Zone, along with the Trusted and Internet Access and the Mail rights.
Make sure the Privacy of the ZA has all green checks or all allowed in the Mobile code for the Citrix servers that you use.
Make sure the "allow uncommon protocols at High security" is checked in the Advanced of the Firewall.
Make sure the ports used by the Citrix are entered into the Custom of the Firewall for both inbound and outbound.
Still more ideas yet.

Re: Citrix and ZA

I've done all of that except the last suggestion: "Make sure the ports used by the Citrix are entered into the Custom of the Firewall for both inbound and outbound." How do I know what ports those are?

Re: Citrix and ZA

Just looking at the IANA port list, there is mention of 1494 tcp/udp, 1604 tcp/udp, 2312 tcp/udp, 2512 tcp/udp, 2513 tcp/udp, 2598 tcp/udp and 2897 tcp/udp for various Citrix features. However the Citrix listed in the IANA port list is probably missing a needed few ports.

I would be more inclined to use the Expert Rules for the Citrix along with the Expert of the Firewall, however just entering the needed ports into the Custom section of the Main of the Firewall usually does what is needed and will make it work.

One of the easiest no effort, yet time consuming, methods to troubleshoot ports/protocols with a firewall is to set the firewall alerts to High and set the logging to High. Then run the application. Note each alert for ports, protocol and IP related to the application and of course inbound/outbound directions. Then add the ports for both local and remote (and sometimes port ranges), the protocol, and the IP (also as a range sometimes) to the rules. Then try it again. Keep repeating until all is finally added and it works. Checking the firewall logs in between all of this for dropped packets - this helps find the needed data as well. In the end, after going step by step, this approach does yield results.

Very often just giving the Citrix (as with many applications needing open ports) server rights for the Trusted and Internet Zones and adding the required servers as Trusted in the Zones, will resolve the problem. Often the easiest.

Plus if there is a router with SPI/NAT and/or a modem with NAT in front of the PC, the needed ports will have to be forwarded in the hardware. Or else it still will not work.
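The "set logging to High, collect the dropped packets, turn them into rules, repeat" procedure from the post above is mechanical enough to script. The example below is an added illustration, not code from the thread or from ZoneAlarm or Citrix: it reads a handful of constructed drop-log lines in a made-up generic format (it is not ZoneAlarm's real log format), groups the dropped packets by direction, protocol, remote address and remote port, and proposes an allow rule only where the remote side is one of your known Citrix servers (an assumed list) on one of the Citrix ports the IANA list in the thread mentions. Anything else is left flagged for review rather than opened blindly, which is the safer way to work through the log step by step.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Citrix-related ports as mentioned in the IANA port list in the thread.
# Assumption: the same set is checked for both TCP and UDP.
CITRIX_IANA_PORTS = {1494, 1604, 2312, 2512, 2513, 2598, 2897}

# Constructed sample log lines in a generic "ACTION PROTO DIR src -> dst" format.
# This is NOT ZoneAlarm's real log format; it stands in for whatever your
# firewall writes once logging is set to High.
SAMPLE_LOG = """\
2008-01-20 10:15:32 DROP TCP OUT 192.168.1.5:49152 -> 10.0.0.20:1494
2008-01-20 10:15:33 DROP TCP OUT 192.168.1.5:49153 -> 10.0.0.20:1494
2008-01-20 10:15:34 DROP UDP OUT 192.168.1.5:49154 -> 10.0.0.20:1604
2008-01-20 10:15:35 DROP TCP OUT 192.168.1.5:49155 -> 10.0.0.21:2598
2008-01-20 10:15:36 DROP TCP IN 10.0.0.20:1494 -> 192.168.1.5:49152
2008-01-20 10:15:37 ALLOW TCP OUT 192.168.1.5:49156 -> 10.0.0.20:443
2008-01-20 10:15:38 DROP TCP OUT 192.168.1.5:49157 -> 203.0.113.9:6667
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ALLOW) (?P<proto>TCP|UDP) (?P<dir>IN|OUT) "
    r"(?P<sip>[\d.]+):(?P<sport>\d+) -> (?P<dip>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class RuleCandidate:
    direction: str
    proto: str
    remote_ip: str
    remote_port: int


def parse_dropped(log_text):
    """Return one RuleCandidate per dropped packet, keyed to the remote side.
    For OUT traffic the remote side is the destination; for IN it is the source.
    Lines that do not match the format, and ALLOW lines, are skipped."""
    candidates = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DROP":
            continue
        if m["dir"] == "OUT":
            remote_ip, remote_port = m["dip"], int(m["dport"])
        else:
            remote_ip, remote_port = m["sip"], int(m["sport"])
        candidates.append(RuleCandidate(m["dir"], m["proto"], remote_ip, remote_port))
    return candidates


def summarize(candidates, trusted_servers):
    """Count drops per (direction, proto, remote ip, port), most frequent first,
    and mark which ones go to a known Citrix server on a known Citrix port."""
    counts = Counter(candidates)
    rows = []
    for cand, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        known = cand.remote_ip in trusted_servers and cand.remote_port in CITRIX_IANA_PORTS
        rows.append((cand, n, known))
    return rows


def proposed_rules(candidates, trusted_servers):
    """Only drops to trusted Citrix servers on Citrix ports become allow rules.
    Everything else stays flagged for a human to look at."""
    return [cand for cand, _, known in summarize(candidates, trusted_servers) if known]


if __name__ == "__main__":
    # Assumed addresses of the office Citrix servers (constructed for the example).
    trusted = {"10.0.0.20", "10.0.0.21"}
    cands = parse_dropped(SAMPLE_LOG)
    for cand, n, known in summarize(cands, trusted):
        flag = "add rule" if known else "review  "
        print(f"{flag} {cand.direction:3} {cand.proto} "
              f"{cand.remote_ip}:{cand.remote_port} ({n} drops)")
```

Each "add rule" row maps directly onto one entry in the firewall's Custom ports section (direction, protocol, remote IP, remote port); the "review" rows are the ones the log-and-retry loop would otherwise tempt you to open without knowing why they were blocked.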